The vulnerability was discovered and responsibly disclosed to Ivanti. It is tracked as CVE-2023-38035 and has received a CVSS score of 9.8.

What is Ivanti Sentry?

Ivanti Sentry is a server in an Ivanti deployment that acts as a gatekeeper between mobile devices and a company’s ActiveSync server, such as a Microsoft Exchange Server, or a backend resource such as a SharePoint server; it can also be configured as a Kerberos Key Distribution Center Proxy (KKDCP) server. Sentry gets its configuration and device information from the Ivanti Endpoint Manager Mobile (EPMM) platform.

The vulnerability: CVE-2023-38035

Successful exploitation allows an unauthenticated threat actor to read and write files to the Ivanti Sentry server and execute OS commands as system administrator (root) through use of “super user do” (sudo).

Ivanti reports that exploitation is only possible against some API endpoints in the System Manager Portal (commonly known as MICS, the MobileIron Configuration Service), which listens on port 8443 by default. If port 8443 is not exposed to the internet, a threat actor needs internal network access to reach it. The vulnerable System Manager Portal is used to communicate with the Ivanti EPMM server.

CVE-2023-38035 can therefore be exploited as a follow-on step, after CVE-2023-35078 and CVE-2023-35081 have been exploited.

Affected Systems

This vulnerability affects all supported versions of Ivanti Sentry: versions 9.18, 9.17 and 9.16. Older versions and releases are also at risk.

Recommendations

Ivanti has released RPM scripts for each of the supported versions.

Ivanti also recommends ensuring that external access to Ivanti Sentry on port 8443 is blocked and, where possible, restricting access to a management network that only IT administrators can reach.

See Ivanti’s security advisory and blog for more information.
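One way to express the port 8443 restriction above on a Linux firewall host in front of Sentry (added example, not Ivanti's own guidance or tooling; it assumes nftables is in use on that host and that the management network CIDR is a placeholder you replace):

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that allows TCP/8443 (the MICS
# System Manager Portal) only from the management network and drops it from
# everywhere else. The CIDR passed in is an assumed placeholder value.
# Intended for a Linux firewall in front of the Sentry appliance, not the
# appliance itself.

# Print the ruleset for the given management CIDR on stdout.
sentry_mics_ruleset() {
    mgmt_cidr="$1"
    # Reject obviously malformed input: expect an IPv4 dotted quad with /prefix.
    case "$mgmt_cidr" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "invalid CIDR: $mgmt_cidr" >&2; return 1 ;;
    esac
    cat <<EOF
table inet sentry_mics {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 8443 ip saddr $mgmt_cidr accept comment "MICS from management network only"
        tcp dport 8443 drop comment "block all other access to MICS"
    }
}
EOF
}

# Count the rules in the generated set that reference port 8443 (expected: 2,
# one accept for the management network and one catch-all drop).
mics_rule_count() {
    sentry_mics_ruleset "$1" | grep -c 'tcp dport 8443'
}

# Apply with: sentry_mics_ruleset 10.10.0.0/24 | nft -f -
```

Verify afterwards with `nft list table inet sentry_mics` that the accept rule precedes the drop rule, since nftables evaluates rules in order.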


Updates

23.08.2023

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-38035 to its Known Exploited Vulnerabilities Catalog. CISA recommends that those using Ivanti Sentry apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

25.08.2023

A proof of concept (PoC) exploit has now been released for CVE-2023-38035. According to Shodan, more than 500 Sentry servers have port 8443 exposed to the internet as of 25.08.2023.